Audits of 1000 Apps: The Good, the Bad and the Ugly of Open Source Use

Open source components are the foundation of today’s applications. Ineffective security and management of open source is pervasive.
That stark contrast marks Black Duck’s recently released 2017 Open Source Security and Risk Analysis (OSSRA), which is based on code audits of more than 1000 applications. Not surprisingly, 97% of the audited applications contained open source. Disturbingly, 67% of the applications contained known open source vulnerabilities.
In this webinar, Black Duck VP of Security Strategy Mike Pittenger will review the audit findings in depth and discuss strategies companies can use to minimize open source security risk while maximizing the economic and productivity value open source provides.

How has the massive security breach of 2017, caused by an unpatched open source vulnerability, impacted the way your company thinks about diligence for acquisitions? Whether you are on the buy-side and tightening your checklist to ensure ROI on an asset, or a seller looking to secure the best possible price, making sure there are no diligence surprises is key.
Undoubtedly your company has a list of items that it examines during diligence, and maybe open source license compliance is one. But has open source security risk made it onto the list yet? What are the implications of acquiring an Equifax level issue? The continued growth of the use of open source software underscores the importance of software diligence, and the increasing regulations and potential risks associated with data privacy magnify the point. Join Hal Hearst, Senior Product Manager and Phil Odence, Sr. Director & GM of Black Duck On-Demand for this webinar to examine how the Equifax breach impacted the world of open source, and what that means for your M&A diligence checklist.

While software grows more complex and the pace of development accelerates, the stakes for building secure software have never been higher. If you’re like most teams embracing a DevOps culture, you’re focused on breaking down silos, streamlining workflows, and cranking out functional software at a nearly continuous clip. Amid all these fundamental changes, how do you ensure your software is secure without clogging up the pipeline?

- Why it's important to build application security into your development and operations toolchains and processes
- Best practices for integration application security throughout the application lifecycle
- How to use SAST and SCA together to maximize the security of the software your teams deliver

DevOps organizations are increasing turning to container environments to meet the demand for faster, more agile software delivery. Container orchestration presents the most effective way to manage the operational challenges as these production environments scale. However, large-scale container deployments present a new array of security challenges, including how to properly manage open source security risk. A 2017 451 research report recently identified security as the single biggest hurdle to container adoption.

The challenges of managing security risk increase in scope and complexity with the size of your deployment and the number of open source software components that are a part of your application code base. In 2017, dozens of new CVEs were reported every day, making it essential to have good visibility into and control over the open source in use in order to understand if any known vulnerabilities are present.

Join experts from Red Hat and Black Duck as they share the latest insights and recommendations for securing open source in your containers. You’ll learn:

- The role of containers in addressing some of the problems faced by teams moving to DevOps
- How OpenShift enhances that solution by answering questions of networking, image registries, deployment automation, application lifecycle, etc.
- Why container environments present new application security challenges, including those posed by open source
- How to scan applications running in containers to identify open source and map against known vulnerabilities
- Best practices and methodologies for deploying secure containers with trust

As development teams automate the software development lifecycle through the use of agile DevOps tools and practices, the need to mitigate open source risk throughout the DevOps tool chain has become critical.

Learn how to extract maximum value from your investment in Black Duck Hub through this in-depth webinar focused on:

- Vulnerability Triage—Ranking vulnerabilities in open source components by the risk of a successful attack and the potential impact on your business.
- Prioritization—Using Hub policy management to categorize development projects by security priority and to flag high-risk open source components.
- Remediation—Tracking the remediation status of all open source vulnerabilities in any given development project.

Data related web services are becoming important for enterprises for achieving their businesses goals. Web services create tremendous business value for them, but the improper use of web services could pose legal and security risks. At Black Duck, we have devised a technology that detects the usage of APIs in the source codes. Our technology automatically detects the legal agreements applicable to the usage of web services and quantify the legal and security risk associated with them. In this webinar, we will share the insights we gained by analyzing 300 real SaaS projects. In particular, we will discuss the relationship between legal documents, privacy, compliance and security risks that come with the usage of web services.

Agile development and DevOps are built on a foundation integrated and automated testing that happens throughout the development lifecycle. Rather than waiting for a testing phase that happens late in the cycle, software quality and security must be verified at every step. In this session you will learn how to validate open source security, compliance, and quality across the SDLC, from design phase to production deployment and beyond.

Craig Froelich is the chief information security officer (CISO) for Bank of America. He leads the Global Information Security team responsible for security strategy, policy, and programs. Before moving to Bank of America through acquisition, he was responsible for Countrywide’s cyber security technology, networks, crisis management, and security operations. Craig has over a decade of experience in product management and application development for software and hardware companies. He also serves on the board of FS-ISAC and the executive committee of BITS. On Twitter, he describes himself as “a SoCal dude learning to be a southern gentleman” as a Los Angeles transplant to Charlotte, North Carolina, where he lives with his family.

Listen as Gary and Craig discuss the role of the CISO in the financial services ecosystem and the newly released 2018 CISO Report.

Gain insights into these important legal developments from two of the leading open source legal experts, Mark Radcliffe, Partner at DLA Piper and General Counsel for the Open Source Initiative and Phil Odence, Sr. Director and General Manager at Black Duck Software by Synopsys. This annual review will highlight the most significant legal developments related to open source software in 2017, including:
- Current litigation
- An open source security update
- Blockchain and its forks
- Software Package Data Exchange (SPDX) and OpenChain
- GDPR
- And more
Live attendees will be receiving a CLE credit for this webinar.

Bruce Potter is CISO at Expel, where he is responsible for cyber risk and ensuring the secure operation of Expel’s services. Previously, Bruce co-founded Ponte Technologies (sold to KeyW Corporation). He then served as CTO at KeyW for 2 years. Before that, Bruce was a security consultant at Cigital. In a seemingly previous life, Bruce founded the Shmoo Group. To this day, he helps run the annual hacker conference ShmooCon. He has co-authored several books, including “802.11 Security,” “Aggressive Network Self-Defense,” and “Host Integrity Monitoring.” Bruce regularly speaks at DEF CON, Black Hat, and O’Reilly Security conferences. He lives in Maryland with his family.

Listen as Gary and Bruce discuss ShmooCon, the state of software security books, network security trends, hacking back, the relationship between preventative security engineering and operational security, DevOps, the CISO role, and more.

Vulnerabilities are an inevitable part of software development and management. Whether it’s open source or custom code, new vulnerabilities will be discovered as a code base ages. A 2017 Black Duck analysis of code audits conducted on 1,071 applications found that 97% contained open source, but 67% of the applications had open source vulnerabilities, half of which were categorized as severe. As the number of disclosures, patches, and updates grows, security professionals must decide which items are critical and must be addressed immediately and which items can be deferred.

Join Black Duck’s VP of Security Strategy, Mike Pittenger, for a 30-minute discussion of best practices in open source security and vulnerability management. You’ll learn:

- Methods for determining which applications are most attractive to attackers, and which pose the greatest risk
- Ways to assess the risk associated with a disclosed open source vulnerability
- Strategies to minimize the impact of open source security vulnerabilities when immediate fixes can’t be made

IT operations teams are now deploying and running hundreds or even thousands of containers at any given time. This rapid deployment surfaces challenges in validating the contents and security of container images being deployed. In this session, Black Duck container and virtualization expert Tim Mackey will provide an overview of technologies and solutions such as Red Hat OpenShift that enable organizations to deploy containers at scale securely.

In this webinar, Tim Mackey explores this new era of large scale container deployments and how to manage and secure them.

Attend and you'll learn:

- How to maintain visibility and control for the open source deployed in hundreds of containers
- How to help your development and operations teams work together to maintain the security of containers in production
- How to build security into your deployment of container orchestration platforms
- Measures you can take to proactively identify risks and remediate risks on containers in production
- How you can use Black Duck OpsSight to scan containers being created, updated or deployed through their container orchestration platforms

DevOps teams are using cloud platforms and containers to build, deploy, and manage applications faster than ever, and utilizing large amounts of open-source software to increase agility. Google Cloud platform makes building and shipping containers even easier with Google Container Builder, Google Container Engine (GKE), and Google Container Registry (GCR). But when you deploy a container or cloud-native application, it’s hard to know exactly what contents are inside, and that can make managing security painful.
Secure DevOps means having full visibility and control of your software supply chain to implement security and governance policies. How do you protect your DevOps without slowing down? Join experts from Google and Black Duck to discuss how to secure the software supply chain including:
- Understanding the modern attack landscape
- How to select safe and healthy open source software in development
- How you can automate open source control and visibility in containers with Black Duck and both Google Container Builder and GCR
- The Grafeas and Kritis projects, and the work Google and Black Duck are doing to enhance security visibility and provide policy enforcement for containers.

Join Black Duck and Tech Contracts Academy as they discuss the implications of open source software in tech contracts. The topic of open source has been at the forefront of the technology industry for many years, but as the use of open source in commercial applications explodes, so do concerns about addressing license and ownership issues in contract negotiations.

David Tollen is the founder of Tech Contracts Academy (www.TechContracts.com) and of Sycamore Legal P.C., in San Francisco. He’s the author of The Tech Contracts Handbook: Cloud Computing Agreements, Software Licenses, and Other IT Contracts for Lawyers and Businesspeople. He will dive into these topics from the perspective of both buyers and sellers and will aim to educate participants on Intellectual Property (IP) protection and other terms and how they should work during contract negotiations.

The Equifax breach provided a unique look into “how” many breaches occur. In Equifax’s case, hackers exploited an unpatched Apache Struts component, resulting in the exposure of over 140 million consumer records. The exploit of this vulnerability highlights the need for visibility to open source in custom applications and just how ineffective traditional security solutions are when it comes to open source vulnerabilities.

Further, while class action lawsuits have already begun, Equifax faces other regulatory challenges as well. The US Federal Trade Commission started investigations into the company’s security policies and controls that will likely result in financial penalties. Since the exposed data included non-US citizens, foreign data protection and data privacy regulations also come into play.

Join Mike Pittenger and Bob Canaway as they discuss how organizations can more effectively manage open source, the strengths and weaknesses of testing methodologies in identifying vulnerable open source components, and how data privacy standards such as PCI, Section 5 of the FTC Act, and GDPR necessitate a change in how organizations address vulnerabilities in their code.

Matias Madou is a co-founder and the CTO of Secure Code Warrior, where he provides the company’s technology vision and oversees the engineering team. He has over 15 years of hands-on software security experience. Matias was a researcher at HP Fortify and a founder of Sensei Security. He also holds 10 patents and has been very active in technology transfer from the lab to commercial products. He’s a sought-after speaker as well, and we’re proud of his presence at the 2017 BSIMM Community Conference. Matias holds a Ph.D. in computer engineering from Ghent University and currently lives in Belgium with his family.

Recent news stories have attributed a major security breach to an exploit of a vulnerability in an open source framework widely used by Fortune 100 companies in education, government, financial services, retail and media.

The incident shines a light on the need for organizations to carefully manage the open source they use to protect themselves—and their customers—from the consequences of catastrophic security breaches.

“The Basics of Open Source Security” will arm you with the information and statistics needed to:

-Explain the importance of open source security to your organization
-Define a clear roadmap for identifying, managing, and securing the open source you have in use
-Take the steps to help your company avoid becoming the next security breach media story

Cybersecurity has become one of the areas where substantive diligence should be conducted not as an afterthought but as an integral part of the M&A process for any deal, particularly those that involve targets with any kind of online presence. The continued growth in the use of open source software underscores the importance of thorough software due diligence. This webinar examines key open source software-related issues and deal points in M&A, licensing and other transactions. Understanding these key legal and technical risks, as well as strategies for mitigating them, will help you speed and smooth negotiations, avoid protracted due diligence and get better deal terms.

DevOps teams are building applications faster than ever before, and utilizing large amounts of open-source software to increase agility. However, that introduces the possibility of open-source security risk. The landscape of attacks has changed in recent years, with cyber-attacks increasingly happening on the application layer. This means DevOps teams need to be involved in the security process.

This task is made more daunting as modern applications are a mix of custom code and open source in their applications. How do you protect your DevOps? Register for this webinar where security experts from Micro Focus Fortify and Black Duck discuss:
- Understanding the mindset of an attacker
- Ways to automate the process of risk identification
- The ability to gate builds when finding risk elements

Equifax confirmed that their high profile, high impact data breach was due to an exploit of a vulnerability in an open source component, Apache Struts CVE-2017-5638. Apache Struts is a mainstream web framework, widely used by Fortune 100 companies in education, government, financial services, retail and media.

This breach highlights the need for visibility and control into the open source in use at organizations of all sizes. As the Equifax incident shows, open source security breaches can have devastating impacts for your users as well as your brand reputation, legal exposure, and revenue.

In this webinar, Black Duck open source security experts share their analysis of what happened at Equifax and provide you with guidance to help your company avoid being the next front page news story:

- Why should organizations prioritize open source vulnerability management?
- How could a known vulnerability like this go undetected for so long?
- What is CVE-2017-5638 in depth and how can hackers exploit it?
- How can you win the race against hackers and avoid risks from future vulnerabilities?

Nicole Perlroth covers cyber security for the New York Times. Before joining the San Francisco bureau in 2011, she was deputy editor at Forbes where she covered venture capital and web start-ups. Nicole is the recipient of several journalism awards for her reporting on efforts by the chinese government to steal military and industrial trade secrets. She is currently working on a cyber security book, This Is How They Tell Me the World Ends for Penguin/Portfolio (2017). She holds a B.A. in Politics and Near Eastern Studies from Princeton and a M.A. in Journalism from Stanford. She’s a native of the Bay Area where she still lives.

Listen as Gary and Nicole talk about life as a cyber security journalist, being a woman in the security industry, and playing up the sex appeal of cyber security.

• New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices.
• Best practices for designing and incorporating an automated approach to application security into your existing development environment.
• Future development and application security challenges organizations will face and what they can do to prepare.